
A Strategy for Addressing Cyber Security Challenges

Talk that Prof. Mustaque Ahamad from GaTech gave at the Global Cybersecurity Leaders Program: http://www.cisoacademy.com/gclp2-prof-mustaque-ahamad-april-2015/

Published in: Technology


  1. A Strategy for Addressing Cyber Security Challenges
     Mustaque Ahamad
     Professor of Computer Science, Georgia Institute of Technology
     Global Professor of Engineering, New York University Abu Dhabi
     Co-founder and Chief Scientist, Pindrop Security
  2. A Couple of Observations
     • Cyber security has become an extremely important problem for people, businesses and governments.
     • Addressing cyber security challenges presents serious challenges.
     • Cyber now reaches into critical physical systems.
     • Cyber security is going to be a journey, not a destination.
  3. Are Things Really Bad?
     • Growing sophistication of the threat landscape
       – Cyber criminals, hacktivists, terrorists and nation-states
       – Cyber crime costs are reaching half a trillion dollars (In India, 0.21% of GDP, McAfee 2014 Report)
       – Greatest transfer of wealth (Keith Alexander, http://foreignpolicy.com/2012/07/09/nsa-chief-cybercrime-constitutes-the-greatest-transfer-of-wealth-in-history/ )
     • Complex technology ecosystem
       – “Reflections on trusting trust”
     • People, processes and coordination across multiple stakeholders
  4. Threats + Vulnerabilities => Attacks
     • Can we make threats go away?
     • Attribution is extremely difficult
     • Global and transnational
     • How can we address vulnerabilities?
     • Security errors in software (over 1700 entries in NVD in last 3 months)
     • Asymmetry – attackers only need to find one bug, we need to fix all
     • People are weak links
     • Only higher assurance, no perfect security
       – Stronger prevention and early detection
       – Faster recovery and remediation
  5. So, What Can We Do?
     • Education
       – Developing the “security mindset”
       – Undergraduate and graduate programs
     • Research
       – Rapidly evolving field
     • Policy, legal and regulation
       – It is much more than technology
  6. Educating Cyber Security Professionals
     • US National Initiative for Cybersecurity Education (NICE) http://csrc.nist.gov/nice/framework/
  7. Capacity Building for Educating Cyber Security Professionals
     • What do we do?
       – Undergraduate or graduate programs?
       – Integrating security concepts in CS curriculum?
       – Vocational programs?
     • How do we do it?
       – So, where do we find cyber security faculty?
       – Developing hands-on projects and laboratories
     • US Response
       – Centers of Excellence Program (NSA/DHS)
       – Scholarship-for-Service (SFS) Program
       – NSF SaTC Education Projects
         • Curriculum development, sharing, workshops etc.
  8. Research Capacity Building
     • Evolving threat landscape and rapidly changing technologies
       – Getting ahead of emerging threats
       – “Test and verify” rather than “trust but verify”
     • Diverse set of research challenges
       – Trustworthiness of technology to human dimension
     • Real-world impact of research
       – Tech transfer and commercialization
  9. Example I: Malware Analysis
     • Scalable malware analysis system processes approximately 250K samples a day
     • Extracting features from communication patterns
     • Big data due to deep packet analysis and event volume
     • Machine learning for attribution
     • Visualization and actionable intelligence
     [Figure: Mariposa Botnet Tracking and Takedown]
  10. Example II: Data-Driven Cyber Risk
     • Collect cyber risk relevant data from multiple sources
       – Vulnerabilities
       – Exploit kits and malware
       – Attack data (public and private)
     • Analytics and visualization
       – Lean back and lean forward
     [Figure: Calendar view of reported vulnerabilities]
  11. National R&D Strategy: US Example
     • National Science Foundation Secure and Trustworthy (SaTC)
       – Launched after developing a national strategy (https://www.whitehouse.gov/sites/default/files/microsites/ostp/fed_cybersecurity_rd_strategic_plan_2011.pdf)
       – Interdisciplinary including behavioral and economic aspects
     • DHS, DARPA and NSA Initiatives
       – Critical infrastructure security (CPS)
       – Resilient and transparent computing
       – Science of security
     • Networking and Information Technology Research and Development (NITRD) Program
       – Coordinated across multiple agencies
       – High level goal is to maintain US technological leadership in this field
  12. Cyber Security Policy
     • Policy development is as important as best technical safeguards
     • Should companies and government agencies be required to practice a certain level of cyber hygiene?
     • Information sharing and coordination
     • Privacy
     • Legal and enforcement issues
  13. Lessons Learned
     • Education capacity building
       – Aggressively support centers like CERC IIIT Delhi
       – CS curriculum needs to be augmented with cyber security offerings at all levels
       – “Educating the educators” – summer schools, workshops and hosted programs
       – What do we do about faculty?
         • Incentives for CS faculty members to shift/expand their research into cyber security
         • Be creative (professor of practice, global professor etc.)
  14. Lessons Learned Contd.
     • Research capacity building
       – You cannot be a major player without a strong research base
         • How many papers at security conferences from India?
       – Launch/seed a few ambitious (and high risk) research projects like NSF’s frontiers
       – Start/get security conferences to India to grow the community
       – Applied research expertise
         • Cannot only rely on security vendor professionals for crisis handling
         • CDC for cyber, CERT 2.0?
       – Coordination across National Labs, DRDO??
       – Home grown cyber security companies??
  15. Lessons Learned Contd.
     • Cyber security is much more than technology
       – Policy, regulatory and legal dimensions
       – Cyber security maturity model and best practices
       – Preparedness assessment
       – Conversations at the highest level (WEF initiative)
       – Information sharing, coordination and mutual aid
       – Informal trust networks
  16. Conclusions
     • Cyber risk ranks among the top global risks (2015 WEF Global risks report)
     • National response is of critical importance
     • Need to move at “network speed”
     • It is all about capacity building
     • Ignore research at your own peril
